How to secure communication between Apigee Edge Proxy and Backend service?

I have read a lot of documentation about configuring Apigee's proxies, and it seems there are not many options to secure your backend endpoint (which is behind the proxy):

  • with a white-list policy: in that way, the backend endpoint will accept requests only from the Apigee proxy and deny everything else;
  • two-way TLS as described here

Which one is the best practice? Is there any other way to secure the backend endpoint? Please share your experience and, if possible, point me to some resources I can read about the security measures you have applied.

ACCEPTED SOLUTION

Here's the documentation describing the configuration of two-way TLS: http://docs.apigee.com/api-services/content/configuring-ssl-edge-backend-service#configuringtwowaytl...

I believe there is a video; I'll try to track it down if someone doesn't beat me to it.

You can combine whitelisting with two-way TLS if you wish to add that extra bit to the equation; it's not a one vs. the other sort of thing.


REPLIES

I have the exact same question. My colleague found this article: https://community.apigee.com/questions/21613/vpn-connections-to-aws-apigee-edge-cloud.html

Is there a video that could be provided utilizing 2-way TLS that is recommended in the solution?

Yes, I know that those are different things. The question is whether white-listing is sufficient for securing the backend from unauthorized calls, or whether I have to spend more effort on implementing TLS. What do other developers do? I believe that it is a common problem, so there should be a golden mean between effort and security level.

What's sufficient depends quite a bit on the nature of the API. Is it less sensitive information and you simply want to enforce that traffic routes through the Apigee layer? In that case whitelisting may be enough. There is some management overhead with configuring and maintaining the certs for two-way TLS, so depending on why you're securing it that might be more than you want to do. If there's any question as to the sensitivity of the data, I think I would lean towards a conservative approach to risk and configure two-way TLS. There are additional options you could look to, if the back-end system supports them. Attaching a claim to the request, e.g. a JWT or SAML, could be done at the Apigee layer, and that claim could be validated before handling the request. That requires more on the target side, but if it's already there it might be worth considering something like that. It wouldn't have to be a claim; it could be some other type of auth. It can be a challenge to balance complexity vs. risk. I'm not sure there is a perfect answer.
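As an added illustration of the "combine whitelisting with two-way TLS" advice above (example code, not from the thread or from Apigee), here is how a backend might enforce both layers: an egress-IP allowlist plus a TLS context that requires a client certificate, with one extra check the thread only implies, pinning the identity in the proxy's certificate rather than trusting anything the client CA has issued. The CIDR ranges, file paths and the expected CN are constructed placeholders.

```python
import ipaddress
import ssl

# Constructed placeholders: the proxy's egress ranges and the CN on its client cert.
PROXY_ALLOWLIST = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.10/32")]
EXPECTED_CLIENT_CN = "apigee-proxy.example.com"


def build_mtls_server_context(server_cert, server_key, client_ca):
    """Server-side TLS context that rejects any client without a cert signed by client_ca.

    The path arguments are placeholders; the context is what a backend would pass to
    its socket/HTTP server to turn on two-way TLS.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(server_cert, server_key)
    ctx.verify_mode = ssl.CERT_REQUIRED          # handshake fails if no client cert is presented
    ctx.load_verify_locations(cafile=client_ca)  # trust only the CA that issued the proxy's cert
    return ctx


def source_is_allowlisted(remote_ip, allowlist=PROXY_ALLOWLIST):
    """Layer 1 (whitelisting): the connection must come from the proxy's egress ranges."""
    addr = ipaddress.ip_address(remote_ip)
    return any(addr in net for net in allowlist)


def client_cert_is_proxy(peer_cert, expected_cn=EXPECTED_CLIENT_CN):
    """Layer 2 (two-way TLS): after the CA check, pin the subject CN.

    peer_cert is the dict form returned by ssl.SSLSocket.getpeercert(); its 'subject'
    is a tuple of RDNs, each a tuple of (attribute, value) pairs.
    """
    if not peer_cert:  # None or {} when no certificate was presented or verified
        return False
    subject = dict(rdn[0] for rdn in peer_cert.get("subject", ()))
    return subject.get("commonName") == expected_cn


def request_is_from_proxy(remote_ip, peer_cert):
    """Both controls must pass; either alone leaves the gap the thread discusses."""
    return source_is_allowlisted(remote_ip) and client_cert_is_proxy(peer_cert)
```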